# coding=utf8
# the above tag defines encoding for this document and is for Python 2.x compatibility
import re
regex = r"(EventCode=(4624|4634|4625)\X*Account Name:(\s+.*\.adm.*))|(EventCode=(4659|4663|5145)\X*Object Name:(\s+.*Test_share.*))"
test_str = ("05/03/2024 02:46:06 PM\n"
"LogName=Security\n"
"EventCode=4624\n"
"EventType=0\n"
"ComputerName=myhost\n"
"SourceName=Microsoft Windows security auditing.\n"
"Type=Information\n"
"RecordNumber=0\n"
"Keywords=Audit Success\n"
"TaskCategory=Logon\n"
"OpCode=Info\n"
"Message=An account was successfully logged on.\n\n"
"Subject:\n"
" Security ID: NULL SID\n"
" Account Name: -\n"
" Account Domain: -\n"
" Logon ID: 0x0\n\n"
"Logon Information:\n"
" Logon Type: 3\n"
" Restricted Admin Mode: -\n"
" Virtual Account: No\n"
" Elevated Token: Yes\n\n"
"Impersonation Level: Delegation\n\n"
"New Logon:\n"
" Security ID: DOMAIN\\user.adm\n"
" Account Name: user.adm\n"
" Account Domain: DOMAIN.LOCAL\n"
" Logon ID: 0\n"
" Linked Logon ID: 0x0\n"
" Network Account Name: -\n"
" Network Account Domain: -\n"
" Logon GUID: {}\n\n"
"Process Information:\n"
" Process ID: 0x0\n"
" Process Name: -\n\n"
"Network Information:\n"
" Workstation Name: -\n"
" Source Network Address: \n"
" Source Port: 63095\n\n"
"Detailed Authentication Information:\n"
" Logon Process: Kerberos\n"
" Authentication Package: Kerberos\n"
" Transited Services: -\n"
" Package Name (NTLM only): -\n"
" Key Length: 0\n\n\n\n"
"04/30/2024 04:49:05 PM\n"
"LogName=Security\n"
"EventCode=4659\n"
"EventType=0\n"
"ComputerName=MyHost\n"
"SourceName=Microsoft Windows security auditing.\n"
"Type=Information\n"
"RecordNumber=0\n"
"Keywords=Audit Success\n"
"TaskCategory=File System\n"
"OpCode=Info\n"
"Message=A handle to an object was requested with intent to delete.\n\n"
"Subject:\n"
" Security ID: myuser\n"
" Account Name: myuser\n"
" Account Domain: Domain\n"
" Logon ID: 0x580B3D59\n\n"
"Object:\n"
" Object Server: Security\n"
" Object Type: File\n"
" Object Name: D:\\Test_share\\prova.txt\n"
" Handle ID: 0x0\n\n"
"Process Information:\n"
" Process ID: 0x4\n\n"
"Access Request Information:\n"
" Transaction ID: {00000000-0000-0000-0000-000000000000}\n"
" Accesses: DELETE\n"
" ReadAttributes\n"
" \n"
" Access Mask: 0x10080\n"
" Privileges Used for Access Check: -")
matches = re.finditer(regex, test_str, re.MULTILINE)
for matchNum, match in enumerate(matches, start=1):
print ("Match {matchNum} was found at {start}-{end}: {match}".format(matchNum = matchNum, start = match.start(), end = match.end(), match = match.group()))
for groupNum in range(0, len(match.groups())):
groupNum = groupNum + 1
print ("Group {groupNum} found at {start}-{end}: {group}".format(groupNum = groupNum, start = match.start(groupNum), end = match.end(groupNum), group = match.group(groupNum)))
# Note: for Python 2.7 compatibility, use ur"" to prefix the regex and u"" to prefix the test string and substitution.
Please keep in mind that these code samples are automatically generated and are not guaranteed to work. If you find any syntax errors, feel free to submit a bug report. For a full regex reference for Python, please visit: https://docs.python.org/3/library/re.html